BrainTest Malware Gets Smart in Google Play Store

“Brain-training” and IQ test games are popular at the moment, and mobile versions that people can pull up while waiting at the dentist’s or riding the subway are even more so. Enterprising malware authors have devised a way to take advantage of this, with a fresh malware in the Google Play Store, bundled in an intelligence-testing game.

According to Check Point Software, the game app, BrainTest, has been published to Play twice, with between 100,000 and 500,000 downloads each time, according to Google statistics. It was able to bypass Google’s security scanning of mobile apps using a range of techniques.

“It has an arsenal of privilege escalation exploits, which is used to install a rootkit on the device—so it can stay on the device even after the user uninstalls it,” Check Point researchers noted in an analysis. “The [rootkit] allows it to download and execute any code a cyber-criminal might want to run—for example, displaying unwanted advertisements, or potentially, downloading and deploying a payload that steals credentials from an infected device.”

The malware was first detected on a Nexus 5 smartphone, and even though the user attempted to remove the infected app, the malware reappeared on the same device shortly after.

The malware’s creators used multiple methods to evade detection by Google, including bypassing Google’s ‘Bouncer’ Android defense tool, which scans submitted apps in the Play store.

“It detects if the malware is being run from an IP or domain mapped to Google Bouncer and, if so, it will not perform its intended malicious activities,” Check Point explained. “An obfuscation tool was also used to disguise the malware so it could be re-uploaded to Google Play after the first instance was removed.”

Google removed the first instance of the app from Google Play on 24 August 2015, but it was soon back with another instance with a different package name, which uses the same code. That version was removed from Play on 15 September, but anyone who has downloaded the app should be aware of the issue.